57054 – PostgreSQL 11 - open CVE-2024-0985

Bug 57054 - PostgreSQL 11 - open CVE-2024-0985

Summary: PostgreSQL 11 - open CVE-2024-0985

Status:	RESOLVED DUPLICATE of bug 57175

Alias:	None

Product:	UCS
Classification:	Unclassified
Component:	PostgreSQL
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal
Target Milestone:	---
Assignee:	UCS maintainers
QA Contact:	UCS maintainers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2024-02-13 10:23 CET by Fabian Schneider
Modified:	2024-11-21 17:07 CET (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2024021221000514
Bug group (optional):
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Fabian Schneider

2024-02-13 10:23:08 CET

The UCS 5.0 Release series contains the postgresql package which is affected by
- https://security-tracker.debian.org/tracker/CVE-2024-0985

As postgresql is EOL and the last official update came in november, it's possibly necessary to mitigate the issue when patches are available for version 13.

The issue should not be critical in normal UCS environments, as:
"The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view."
"The victim is a superuser or member of one of the attacker's roles."

Comment 1 Jan-Luca Kiok

2024-11-21 17:07:24 CET


*** This bug has been marked as a duplicate of bug 57175 ***